mount: Fix mounting any file systems from the host system
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 2 Aug 2022 16:01:40 +0000 (16:01 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 2 Aug 2022 16:01:40 +0000 (16:01 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/libpakfire/mount.c

index bff245f97ab70a42fa32247ac16a23160ec1ab1a..5682b6c251f66e3ad35e6ed8eb1425b50c839113 100644 (file)
@@ -43,25 +43,43 @@ static const struct pakfire_mountpoint {
        int flags;
        const char* options;
 } mountpoints[] = {
-       { "pakfire_proc",  "proc",         "proc",  MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL, },
-
-       // Bind mount /proc/sys as read-only with the following exceptions:
-       //  * /proc/sys/net
-       { "/proc/sys",     "proc/sys",     "bind",  MS_BIND, NULL, },
-       { "/proc/sys/net", "proc/sys/net", "bind",  MS_BIND, NULL, },
-       { "/proc/sys",     "proc/sys",     "bind",  MS_BIND|MS_RDONLY|MS_REMOUNT, NULL, },
-
-       // Bind mount /sys as read-only
-       { "/sys",          "sys",          "bind",  MS_BIND, NULL, },
-       { "/sys",          "sys",          "bind",  MS_BIND|MS_RDONLY|MS_REMOUNT, NULL, },
+       // Mount a new instance of /proc
+       { "pakfire_proc",        "proc",               "proc",
+               MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL, },
+
+       // Make /proc/sys read-only (except /proc/sys/net)
+       { "/proc/sys",           "proc/sys",           "bind",  MS_BIND|MS_REC, NULL, },
+       { "/proc/sys/net",       "proc/sys/net",       "bind",  MS_BIND|MS_REC, NULL, },
+       { "/proc/sys",           "proc/sys",           "bind",
+               MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, NULL, },
+
+       // Deny write access to /proc/sysrq-trigger (can be used to restart the host)
+       { "/proc/sysrq-trigger", "proc/sysrq-trigger", "bind",  MS_BIND|MS_REC, NULL, },
+       { "/proc/sysrq-trigger", "proc/sysrq-trigger", "bind",
+               MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, NULL, },
+
+       // Make /proc/irq read-only
+       { "/proc/irq",           "proc/irq",           "bind",  MS_BIND|MS_REC, NULL, },
+       { "/proc/irq",           "proc/irq",           "bind",
+               MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, NULL, },
+
+       // Make /proc/bus read-only
+       { "/proc/bus",           "proc/bus",           "bind",  MS_BIND|MS_REC, NULL, },
+       { "/proc/bus",           "proc/bus",           "bind",
+               MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, NULL, },
+
+       // Bind-Mount /sys ready-only
+       { "/sys",                "sys",                "bind",  MS_BIND|MS_REC, NULL, },
+       { "/sys",                "sys",                "bind",
+               MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, NULL, },
 
        // Create a new /dev
-       { "pakfire_dev",   "dev",          "tmpfs", MS_NOSUID|MS_NOEXEC,
-               "mode=755,size=4m,nr_inodes=64k", },
-       { "/dev/pts",      "dev/pts",      "bind",  MS_BIND, NULL, },
+       { "pakfire_dev",         "dev",                "tmpfs", MS_NOSUID|MS_NOEXEC,
+               "mode=0755,size=4m,nr_inodes=64k", },
+       { "/dev/pts",            "dev/pts",            "bind",  MS_BIND, NULL, },
 
        // Create a new /run
-       { "pakfire_tmpfs", "run",          "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NODEV,
+       { "pakfire_tmpfs",       "run",                "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NODEV,
                "mode=755,size=4m,nr_inodes=1k", },
 
        // The end
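Review bot: The /sys entries on L52-L54 now bind the host's /sys with MS_REC, but the follow-up MS_BIND|MS_REMOUNT|MS_RDONLY is applied to the top-level mount only, so any sub-mounts MS_REC copied from the host (on a typical host /sys/fs/cgroup, /sys/kernel/security, /sys/kernel/debug, /sys/fs/bpf, /sys/firmware/efi/efivars, if mounted there) stay writable inside the build environment, whereas the previous non-recursive bind left those directories empty. Unless the build needs those filesystems, the simplest fix is to keep the bind non-recursive, `{ "/sys", "sys", "bind", MS_BIND, NULL, },`, or otherwise each copied sub-mount has to be remounted read-only individually (or, on kernels providing it, `mount_setattr(2)` with AT_RECURSIVE and MOUNT_ATTR_RDONLY); a comment such as `// NOTE: MS_REMOUNT|MS_BIND is not recursive; do not add MS_REC here or host sub-mounts of /sys become writable` would keep this from regressing. The same reasoning applies to the MS_REC binds of /proc/sys, /proc/sysrq-trigger, /proc/irq and /proc/bus on L31-L49, though host sub-mounts beneath those paths are uncommon. How a failed mount() of a table entry is handled (for example when /proc/sysrq-trigger does not exist on a kernel without sysrq support) lies outside this hunk and is worth checking, since a silently skipped entry would leave the path unrestricted. Minor: the comment on L51 reads "ready-only" and should be "read-only".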